Retbleed

Last updated March 27, 2024

Retbleed is a speculative execution attack on x86-64 and ARM processors, including some recent Intel and AMD chips.^[1]^[2] First made public in 2022, it is a variant of the Spectre vulnerability which exploits retpoline, which was a mitigation for speculative execution attacks.^[3]

According to the researchers, Retbleed mitigations require extensive changes to the system which results in up to 14% and 39% performance loss on Linux for affected AMD and Intel CPU respectively.^[4] The PoC works against Intel Core 6th, 7th and 8th generation microarchitectures and AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

An official document from ARM informs that all ARM CPUs affected by Spectre are also affected by Retbleed.^[2]

Windows is not vulnerable because the existing mitigations already tackle it.^[1] Linux kernels 5.18.14 and 5.19 contain the fixes.^[5]^[6] The 32-bit Linux kernel, which is vulnerable, will not receive updates to fix the issue.^[7]

Related Research Articles

W^X is a security feature in operating systems and virtual machines. It is a memory protection policy whereby every page in a process's or kernel's address space may be either writable or executable, but not both. Without such protection, a program can write CPU instructions in an area of memory intended for data and then run those instructions. This can be dangerous if the writer of the memory is malicious. W^X is the Unix-like terminology for a strict use of the general concept of executable space protection, controlled via the mprotect system call.

The Time Stamp Counter (TSC) is a 64-bit register present on all x86 processors since the Pentium. It counts the number of CPU cycles since its reset. The instruction RDTSC returns the TSC in EDX:EAX. In x86-64 mode, RDTSC also clears the upper 32 bits of RAX and RDX. Its opcode is 0F 31. Pentium competitors such as the Cyrix 6x86 did not always have a TSC and may consider RDTSC an illegal instruction. Cyrix included a Time Stamp Counter in their MII.

Dynamic frequency scaling is a power management technique in computer architecture whereby the frequency of a microprocessor can be automatically adjusted "on the fly" depending on the actual needs, to conserve power and reduce the amount of heat generated by the chip. Dynamic frequency scaling helps preserve battery on mobile devices and decrease cooling cost and noise on quiet computing settings, or can be useful as a security measure for overheated systems.

Advanced Vector Extensions are SIMD extensions to the x86 instruction set architecture for microprocessors from Intel and Advanced Micro Devices (AMD). They were proposed by Intel in March 2008 and first supported by Intel with the Sandy Bridge processor shipping in Q1 2011 and later by AMD with the Bulldozer processor shipping in Q3 2011. AVX provides new features, new instructions, and a new coding scheme.

Second Level Address Translation (SLAT), also known as nested paging, is a hardware-assisted virtualization technology which makes it possible to avoid the overhead associated with software-managed shadow page tables.

RDRAND is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. Intel introduced the feature around 2012, and AMD added support for the instruction in June 2015.

Intel Software Guard Extensions (SGX) is a set of instruction codes implementing trusted execution environment that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define protected private regions of memory, called enclaves. SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.

Ryzen is a brand of multi-core x86-64 microprocessors designed and marketed by Advanced Micro Devices (AMD) for desktop, mobile, server, and embedded platforms based on the Zen microarchitecture. It consists of central processing units (CPUs) marketed for mainstream, enthusiast, server, and workstation segments and accelerated processing units (APUs) marketed for mainstream and entry-level segments and embedded systems applications.

Kernel page-table isolation is a Linux kernel feature that mitigates the Meltdown security vulnerability and improves kernel hardening against attempts to bypass kernel address space layout randomization (KASLR). It works by better isolating user space and kernel space memory. KPTI was merged into Linux kernel version 4.15, and backported to Linux kernels 4.14.11, 4.9.75, and 4.4.110. Windows and macOS released similar updates. KPTI does not address the related Spectre vulnerability.

Meltdown is one of the two original transient execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

Spectre is one of the two original transient execution CPU vulnerabilities, which involve microarchitectural timing side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

Speculative Store Bypass (SSB) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities. It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ). After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG, it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".

Lazy FPU state leak, also referred to as Lazy FP State Restore or LazyFP, is a security vulnerability affecting Intel Core CPUs. The vulnerability is caused by a combination of flaws in the speculative execution technology present within the affected CPUs and how certain operating systems handle context switching on the floating point unit (FPU). By exploiting this vulnerability, a local process can leak the content of the FPU registers that belong to another process. This vulnerability is related to the Spectre and Meltdown vulnerabilities that were publicly disclosed in January 2018.

Foreshadow, known as L1 Terminal Fault (L1TF) by Intel, is a vulnerability that affects modern microprocessors that was first discovered by two independent teams of researchers in January 2018, but was first disclosed to the public on 14 August 2018. The vulnerability is a speculative execution attack on Intel processors that may result in the disclosure of sensitive information stored in personal computers and third-party clouds. There are two versions: the first version (original/Foreshadow) targets data from SGX enclaves; and the second version (next-generation/Foreshadow-NG) targets virtual machines (VMs), hypervisors (VMM), operating systems (OS) kernel memory, and System Management Mode (SMM) memory. A listing of affected Intel hardware has been posted.

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

Transient execution CPU vulnerabilities are vulnerabilities in a computer system in which a speculative execution optimization implemented in a microprocessor is exploited to leak secret data to an unauthorized party. The archetype is Spectre, and transient execution attacks like Spectre belong to the cache-attack category, one of several categories of side-channel attacks. Since January 2018 many different cache-attack vulnerabilities have been identified.

SWAPGS, also known as Spectre variant 1, is a computer security vulnerability that utilizes the branch prediction used in modern microprocessors. Most processors use a form of speculative execution, this feature allows the processors to make educated guesses about the instructions that will most likely need to be executed in the near future. This speculation can leave traces in the cache, which attackers use to extract data using a timing attack, similar to side-channel exploitation of Spectre.

Downfall, known as Gather Data Sampling (GDS) by Intel, is a computer security vulnerability found in 6th through 11th generations of consumer and 1st through 4th generations of Xeon Intel x86-64 microprocessors. It is a transient execution CPU vulnerability which relies on speculative execution of Advanced Vector Extensions (AVX) instructions to reveal the content of vector registers.

References

1 2 Claburn, Thomas. "AMD, Intel chips vulnerable to 'Retbleed' Spectre variant". www.theregister.com. Retrieved 2022-07-12.
1 2 ARM Developer. "Q: Are Arm CPUs affected by the RETBLEED side-channel disclosed on the 13th July 2022?" . Retrieved 2022-07-13.
↑ Goodin, Dan (2022-07-12). "Intel and AMD CPUs vulnerable to a new speculative execution attack". Ars Technica. Retrieved 2022-07-12.
↑ ETH Zurich Computer Security Group. "Retbleed: Arbitrary Speculative Code Execution with Return Instructions" . Retrieved 2022-07-13.
↑ "Stable kernels 5.18.14 and 5.15.57 [LWN.net]". lwn.net. Retrieved 2022-08-06.
↑ Sharwood, Simon (2022-07-17). "Torvalds: Linux kernel team has sorted Retbleed chip flaw". www.theregister.com. Retrieved 2022-09-13.
↑ Michael Larabel (2022-07-24). "Linux x86 32-bit Is Vulnerable To Retbleed But Don't Expect It To Get Fixed". phoronix.com.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:0-1] 1 2 Claburn, Thomas. "AMD, Intel chips vulnerable to 'Retbleed' Spectre variant". www.theregister.com. Retrieved 2022-07-12.

[arm-retbleed-official-2] 1 2 ARM Developer. "Q: Are Arm CPUs affected by the RETBLEED side-channel disclosed on the 13th July 2022?" . Retrieved 2022-07-13.

[3] Goodin, Dan (2022-07-12). "Intel and AMD CPUs vulnerable to a new speculative execution attack". Ars Technica. Retrieved 2022-07-12.

[retbleed-official-4] ETH Zurich Computer Security Group. "Retbleed: Arbitrary Speculative Code Execution with Return Instructions" . Retrieved 2022-07-13.

[5] "Stable kernels 5.18.14 and 5.15.57 [LWN.net]". lwn.net. Retrieved 2022-08-06.

[6] Sharwood, Simon (2022-07-17). "Torvalds: Linux kernel team has sorted Retbleed chip flaw". www.theregister.com. Retrieved 2022-09-13.

[7] Michael Larabel (2022-07-24). "Linux x86 32-bit Is Vulnerable To Retbleed But Don't Expect It To Get Fixed". phoronix.com.

[1]

[2]

[3]

[4]

[5]

[6]

[7]